ansible-vault
is used to encrypt variable definitions, keys, and other sensitive data
so that they can be securely accessed from a playbook. Ansible 2 (not
yet released) has some useful security improvements to the ansible-vault
command-line interface.
Don't write plaintext to disk
Earlier, there was no way to use ansible-vault without writing sensitive
plaintext to disk (either by design, or as an editor byproduct). Now one
can use “ansible-vault encrypt” and “ansible-vault decrypt” as
filters to read plaintext from stdin or write it to stdout
using the new --output option.
# Interactive use: stdin → x (like gpg)
$ ansible-vault encrypt --output x
# Non-interactive use, for scripting
$ pwgen -1 | ansible-vault encrypt --output newpass
# Decrypt to stdout
$ ansible-vault decrypt vpnc.conf --output - | vpnc -
These changes retain backwards compatibility with earlier invocations of
ansible-vault and make it possible to securely automate the creation and
use of vault data. In every case, the input or output file can be set to
“-” to use stdin or stdout.
A related change: “ansible-vault view” now
feeds plaintext to the pager directly on stdin
and never writes plaintext to disk. (But “ansible-vault edit” still
writes plaintext to disk.)
Automated rekeying
ansible-vault accepts a --vault-password-file option, which avoids the
interactive password prompt and confirmation; if the file is executable,
it is run and the password is read from its stdout.
With Ansible 2, “ansible-vault rekey” accepts a
--new-vault-password-file
option that behaves the same way, so it's possible to rekey an
already-encrypted vault file automatically, if you pass in a script that
writes a new vault password to its stdout. (This operation also doesn't
leak plaintext to disk.)
An incidental bugfix also makes it possible to pass multiple filenames
to ansible-vault subcommands (i.e., it's now possible to encrypt,
decrypt, and rekey more than one file at once; this behaviour was
documented, but didn't work).
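Putting the two sections together, here is an added example (not from the original post) that scripts the stdin-to-vault encryption and the non-interactive rekey, so neither plaintext nor a vault password is left on disk as a regular file. It assumes ansible-vault 2.x on PATH, that the old and new passwords arrive in the environment variables OLD_VAULT_PASS and NEW_VAULT_PASS (names chosen for this example), and that the helper names are hypothetical.

```shell
#!/bin/sh
# Example code, not ansible-vault's own. Assumes: ansible-vault 2.x on PATH;
# OLD_VAULT_PASS / NEW_VAULT_PASS set in the environment (example names).
set -eu

# Write an executable password script that prints one environment
# variable. ansible-vault runs an executable --vault-password-file and
# reads the password from its stdout, so the password itself is never
# stored in the file.
make_pass_script() {            # $1 = path, $2 = variable name
    ( umask 077                 # created mode 0600: owner-only
      printf '#!/bin/sh\nprintf "%%s" "${%s:?}"\n' "$2" > "$1" )
    chmod 0700 "$1"
}

# Refuse to use a password script that group or others can read/run.
check_private() {               # $1 = path
    # ls -l mode string is 10 chars; cols 5-10 are group/other bits
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "$1 is readable by others; refusing" >&2; return 1 ;;
    esac
}

# Encrypt a secret piped in on stdin straight into a vault file
# (the "Non-interactive use" pattern from the first section).
encrypt_stdin() {               # $1 = output vault file, $2 = pass script
    check_private "$2"
    ansible-vault encrypt --vault-password-file "$2" --output "$1"
}

# Rekey with --vault-password-file / --new-vault-password-file: no prompt,
# and ansible-vault rewrites the ciphertext without a plaintext temp file.
rekey_vault() {                 # $1 = vault file, $2 = old, $3 = new script
    check_private "$2"
    check_private "$3"
    ansible-vault rekey --vault-password-file "$2" \
        --new-vault-password-file "$3" "$1"
}

# Usage (run manually; not executed on load):
#   d=$(mktemp -d)
#   make_pass_script "$d/old.sh" OLD_VAULT_PASS
#   make_pass_script "$d/new.sh" NEW_VAULT_PASS
#   pwgen -1 | encrypt_stdin "$d/dbpass.vault" "$d/old.sh"
#   rekey_vault "$d/dbpass.vault" "$d/old.sh" "$d/new.sh"
#   rm -rf "$d"
```

The permission check is a cheap guard against the common mistake of committing or sharing a world-readable password script, which would defeat the point of keeping the password out of the vault file.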
(Unfortunately, many more
important vault changes
didn't make it to this release.)